Bug 1205479 (Closed)
Opened 9 years ago, closed 9 years ago
Todoist extension is sending all the sites a user visits to a webapp hosted on an insecure server
Categories: Toolkit :: Blocklist Policy Requests, defect
Status: RESOLVED FIXED
Target Milestone: 44.2
People: Reporter: mossop, Assigned: jorgev
Whiteboard: [qa-]
I'm not sure if this should be a blocklisting thing, or a case where we get them to update their code. At the very least seems like they should be required to have a privacy policy.
I was looking in my browser console and discovered a startling number of unsafe CPOW warnings coming from Todoist even when not interacting with Firefox in any way. Looking at the code I found this gem:
    setInterval(function() {
        // Location of the sidebar <browser> that hosts the Todoist webapp.
        var frame_href = XULTodoistFirefox.TODOIST_ELM.contentDocument.location.href;
        if(frame_href.indexOf('/app') != -1) {
            // `content` is the selected tab's content window (a CPOW under e10s,
            // hence the unsafe CPOW warnings). Fires whether or not the sidebar is open.
            if(XULTodoistFirefox.last_location != content.location.href) {
                var data_to_send = {};
                data_to_send['href'] = content.location.href;
                data_to_send['title'] = content.document.title;
                data_to_send['type'] = 'T_FIREFOX_MESSAGE';
                var data_to_string = JSON.stringify(data_to_send);
                // Wildcard target origin: delivered to whatever origin the frame
                // currently holds, including a MITM-injected one on the http site.
                XULTodoistFirefox.TODOIST_ELM.contentDocument.defaultView.postMessage(data_to_string, '*');
                XULTodoistFirefox.last_location = content.location.href;
            }
        }
    }, 300); // poll interval in ms
For context Todoist opens a sidebar showing a slim version of their webapp. Once opened this interval starts and every 30ms it grabs the url and title of the current opened tab and if it differs from the last uses postMessage to send it to the webapp. Also the webapp is hosted on an insecure webserver. Also it does this even if the sidebar is closed.
Marking as security sensitive for now since this allows a MITM attack to get any Todoist user's browsing data.
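As an added illustration (not Todoist's code and not part of this bug), the same sidebar-to-webapp message with the two defects from the report removed: the target origin is pinned to one HTTPS origin instead of '*', the frame's current location is checked before posting, and the page is sent only when something asks for it (a "create task from this page" click) rather than from a timer. The origin https://todoist.example, the mock frame window and the sample pages are assumptions constructed for the demo; the report only says the real webapp was served over plain http, which is exactly what the check rejects. The receiver-side check at the end is likewise an assumption about what the webapp should do, not a description of what it did.

```javascript
// Added example, not code from the Todoist add-on or from this bug report.
// Assumed origin of the sidebar webapp; a plain-http origin never matches it.
const TODOIST_ORIGIN = 'https://todoist.example';

// Does the sidebar frame currently show the webapp we expect to talk to?
function isAllowedTarget(frameHref) {
  let u;
  try {
    u = new URL(frameHref);
  } catch (e) {
    return false; // unparsable href
  }
  // about:blank has origin "null", http://... has a different origin: both rejected.
  return u.origin === TODOIST_ORIGIN && u.pathname.startsWith('/app');
}

// Same field names the add-on used, built only for the one page being shared.
function buildPageMessage(page) {
  return JSON.stringify({ href: page.href, title: page.title, type: 'T_FIREFOX_MESSAGE' });
}

// Send the current page to the sidebar on demand. Returns true if a message was posted.
// `frameWindow` exposes postMessage(data, targetOrigin) like a real Window.
function sendCurrentPage(frameWindow, frameHref, page) {
  if (!isAllowedTarget(frameHref)) {
    return false; // frame navigated elsewhere, or is not https: say nothing
  }
  // Explicit target origin: if the frame's origin differs at delivery time the
  // browser drops the message instead of handing it to whoever is loaded there.
  frameWindow.postMessage(buildPageMessage(page), TODOIST_ORIGIN);
  return true;
}

// Receiver side (inside the webapp, assumed): accept only messages whose
// event.origin is the one the sidebar is expected to use, and validate the shape.
function acceptPageMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (!msg || msg.type !== 'T_FIREFOX_MESSAGE' || typeof msg.href !== 'string') return null;
  return { href: msg.href, title: String(msg.title || '') };
}

// Constructed stand-in for the sidebar window: records what would have been posted.
function makeMockFrame() {
  const posted = [];
  return {
    posted,
    postMessage(data, targetOrigin) {
      posted.push({ data, targetOrigin });
    },
  };
}

// Demo with constructed inputs: the http-hosted frame gets nothing, the https one
// gets exactly one message addressed to TODOIST_ORIGIN.
const demoPage = { href: 'https://intranet.example/secret-report', title: 'Q3 report' };
const httpFrame = makeMockFrame();
console.log('http frame posted:', sendCurrentPage(httpFrame, 'http://todoist.example/app', demoPage));
const httpsFrame = makeMockFrame();
console.log('https frame posted:', sendCurrentPage(httpsFrame, 'https://todoist.example/app/today', demoPage));
console.log(httpsFrame.posted);
```

Wiring `sendCurrentPage` to the sidebar's "create task" button instead of a `setInterval` removes the per-navigation leak entirely; the origin check and pinned `targetOrigin` then limit what a compromised or redirected frame can receive even in that one case.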
Comment 1 (Reporter mossop, 9 years ago):
I should add that there doesn't seem to be any good reason why they would need to see every url the user visits. The sidebar has an option to create a task from a website which would need the url but that could be requested when needed.
Comment 2 (Assignee jorgev, 9 years ago):
Thanks. I sent a message to the developer via AMO, giving them some time to fix the add-on. If they don't comply within two weeks, the add-on will be blocked. If the add-on is updated to a safe version, we will block the old versions once most users have updated.
Assignee: nobody → jorge
Comment 3 (Assignee jorgev, 9 years ago):
Group: addons-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Target Milestone: --- → 44.2
Updated 9 years ago:
Product: addons.mozilla.org → Toolkit